Cybercriminals Known as ToddyCat Utilize Replaceable Malware in Targeting Asian Telecommunications

A recently uncovered operation known as “Stayin’ Alive” has been actively targeting government bodies and telecommunications providers in various Asian countries since 2021. This campaign employs a range of quickly replaceable malware tools to avoid detection.

The majority of these attacks, observed by cybersecurity company Check Point, are concentrated in countries such as Kazakhstan, Uzbekistan, Pakistan, and Vietnam, with the campaign ongoing.

The attacks are believed to be orchestrated by a Chinese espionage group referred to as ‘ToddyCat,’ which employs spear-phishing messages containing malicious attachments to deploy diverse malware loaders and backdoors.

Researchers have determined that these threat actors utilize multiple customized tools that are likely disposable to remain undetected and prevent the linkage of attacks.

The attack sequence commences with a spear-phishing email designed to target specific individuals within critical organizations, urging them to open an attached ZIP file. Inside the archive is an executable file with a matching name to the email context and a malicious DLL exploiting a vulnerability (CVE-2022-23748) in Audinate’s Dante Discovery software. This DLL loads the “CurKeep” malware onto the system.

CurKeep is a lightweight backdoor that establishes persistence on the compromised device, sends system information to a command-and-control (C2) server, and awaits further instructions. It can retrieve a directory list of the victim’s installed software, execute commands, and send the results to the C2 server, all while carrying out file-based tasks directed by its operators.

In addition to CurKeep, the campaign employs various tools, primarily loaders, executed using similar DLL side-loading techniques. These include CurLu loader, CurCore, and CurLog loader, each with distinct functionalities and infection methods.

The security firm suggests that this newly discovered cluster may be part of a larger campaign involving more undisclosed tools and attack techniques. Despite the unique code characteristics of these tools, they all connect to the same infrastructure previously associated with ToddyCat, a Chinese cyber espionage group.